Top 10 Security Challenges/Issues 2006 Jorge Sebastião Founder and CEO [email_address] www.esgulf.com
Can IT face the Challenge?
Top 10 Challenges
1. Security Awareness & End Users
2. Google Exposure
3. Standards Compliance & Regulations, Updates to ISO27001
4. Vulnerability Management
5. Change Management & Coordination Mgmt
6. Patch Management
7. Effective Security Monitoring
8. Incidence Response
9. Managing Outsourcing Risk
10. Disaster Recovery & Business Continuity, Crisis Management
1. Security Awareness & End Users
The #1 threat to security is people.
Cause: Large, growing user population and user-friendly applications. People's weaknesses are caused by lack of knowledge.
Threat: Illiteracy in how the internet works allows social engineering.
Social Engineering Risk
“… 70 percent of those asked said they would reveal their computer passwords for a …” bar of chocolate.
Source: Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1
Phishing Stats
Phishing 101
Security & people is a complex process. It doesn't matter how strong you build a fortress, there's always a way around.
2. Google Exposure
Google is the #1 hacker's tool.
Cause: Any information posted or disseminated through the internet can easily be recorded and indexed.
Threat: Exposure of corporate as well as personal confidential information.
Advanced Operators: “filetype:” (Google Hacking - Filetype)
Advanced Operators: “intitle:” (Google Hacking - intitle)
intitle:search_term finds the search term within the title of a web page.
Example, find a directory listing: intitle:Index.of “parent directory”
Personal Mailbox (Google Hacking - Mailbox)
intitle:Index.of inurl:Inbox (456) (mit mailbox). After several clicks, the private email messages were reachable.
3. Standards Compliance & Regulations, Updates to ISO27001
Examples: BS7799 now ISO27001, Basel I to Basel II, EMV2, HIPAA, AML, SOX…
Cause: Compliance is not always a corporate priority (carrot and stick).
Threat: Potential major regulator and government penalties and loss of corporate image. New regulations in various sectors such as financial, health and transportation.
Multitude of changes to Governance
ISO27001 (before: ISO17799, BS7799)
ISO20000 (before: BS15000)
EMV 2 (before: EMV)
Basel 2 (before: Basel)
SOX
AML
ISO90000
CoBIT
PAS56 (new ISO…)
HIPAA
...
Control Areas
Plan-Do-Check-Act Model
PLAN: 1. Establish Security Policy and Objectives; 2. Conduct Risk Analysis
DO: 3. Implement Controls/Safeguards; 4. Educate the Organisation
CHECK: 5. Continuously Monitor and Review
ACT: 6. Continuously Improve
* The PDCA model is the strategy used in ISO9001 and ISO27001
Summary of Changes
Basel 2 - Time Table
4. Vulnerability Management
“99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available”
Cause: A large and growing set of vulnerabilities and system weaknesses, brought to light by disclosure.
Threat: Vulnerabilities can be exploited and cause loss of Confidentiality, Integrity and Availability.
Vulnerability/Exploit Life Cycle
Compromise is Costly
- Compromised systems may not be immediately identified.
- To fully recover a compromised system, it must be taken offline: downtime of critical servers, time invested by administrators.
- To restore the integrity of the system it must be validated: forensics may take days to complete.
- Reinstall operating system and applications and all security patches.
- Back-ups may contain altered data, making them useless during recovery activities.
Continuous Vulnerability Testing
Overview Audit
5. Change Management & Coordination Mgmt
We are always introducing change into the IT infrastructure in an uncontrolled way.
Cause: Large, growing complexity of networks, new technologies and new applications. Change forced by vulnerability / patch management.
Threat: Unavailability of IT infrastructure, potential lack of integrity, potential loss of confidentiality.
Change Management
Release Management
Change Mgmt Operation: Stabilize & Deploy Countermeasures
Risk management cycle (steps 1 to 5): Identify, Analyze, Plan, Track, Control. New or changed countermeasures feed back into the Risk Statement.
6. Patch Management
The high number of vulnerabilities results in a high number of patches and patching cycles.
Cause: Mandatory changes required to make emergency corrections in the IT environment.
Threat: Patch management can result in loss of system integrity and availability.
Patch Management Requires
Processes: consistent and repeatable
People: skills, roles and responsibilities
Technology: products, tools and automation
Patch Management Process (1. Assess, 2. Identify, 3. Plan, 4. Deploy)
1. Assess Environment. Tasks: A. Baseline of systems; B. Assess architecture; C. Review configuration; D. Discovery and inventory
2. Identify Patches. Tasks: A. Identify new patches; B. Patch relevance; C. Verify authenticity & integrity
3. Plan Patch Deployment. Tasks: A. Approval to deploy patch; B. Risk assessment; C. Plan release process; D. Acceptance testing
4. Deploy. Tasks: A. Distribute & install patch; B. Report on progress; C. Handle exceptions; D. Review deployment
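The Assess / Identify / Plan steps above, as an added example that is not part of the original deck: a constructed host inventory (step 1), a constructed patch feed with vendor-published hashes (step 2), relevance checking by installed version (2B), hash verification before anything is scheduled (2C), and a per-host deployment plan (step 3). Hostnames, versions, patch ids and payloads are all made up.

```python
import hashlib
from dataclasses import dataclass

# Step 1 (Assess): constructed inventory of hosts and installed component versions.
INVENTORY = {
    "web01": {"os": "ubuntu-6.06", "openssh": "4.2", "apache": "2.0.55"},
    "db01":  {"os": "ubuntu-6.06", "openssh": "4.3", "postgres": "8.1"},
    "win01": {"os": "windows-2003", "iis": "6.0"},
}

@dataclass
class Patch:
    patch_id: str          # constructed identifier
    component: str         # software the patch applies to
    fixes_below: str       # installed versions lower than this need the patch
    published_sha256: str  # hash the vendor published for the patch artifact

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def relevant_hosts(patch, inventory):
    """Step 2B (patch relevance): hosts running a version below the fixed one."""
    return sorted(h for h, sw in inventory.items()
                  if patch.component in sw
                  and version_tuple(sw[patch.component]) < version_tuple(patch.fixes_below))

def verify_integrity(patch, artifact):
    """Step 2C: the downloaded artifact must hash to the published value."""
    return hashlib.sha256(artifact).hexdigest() == patch.published_sha256

def plan_deployment(patches, inventory, artifacts):
    """Step 3: per-host plan; a patch failing integrity is rejected, never scheduled."""
    plan = {h: [] for h in inventory}
    rejected = []
    for p in patches:
        if not verify_integrity(p, artifacts[p.patch_id]):
            rejected.append(p.patch_id)
            continue
        for h in relevant_hosts(p, inventory):
            plan[h].append(p.patch_id)
    return plan, rejected

# Constructed patch artifacts: P-001 matches its published hash, P-002 does not
# (simulating a corrupted or tampered download).
GOOD = b"openssh-4.3-security-fix"
TAMPERED = b"apache-2.0.58-fix-with-unexpected-contents"
PATCHES = [
    Patch("P-001", "openssh", "4.3", hashlib.sha256(GOOD).hexdigest()),
    Patch("P-002", "apache", "2.0.58", "0" * 64),
]
ARTIFACTS = {"P-001": GOOD, "P-002": TAMPERED}

if __name__ == "__main__":
    print(plan_deployment(PATCHES, INVENTORY, ARTIFACTS))
```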
7. Effective Security Monitoring
Cause: Lack of formal, integrated security monitoring for security events and potential incidents.
Threat: Inability to understand the level of exposure when being attacked.
Lack of effective Monitoring
“… Close to 30% of companies indicated they would not be aware that their core business information had been altered until 12 to 24 hours later, and roughly 30% would not be aware of a compromise for more than 2 days.” Source: CIO Magazine
Effective Monitoring requires an Integrated Process (Organization, IT, SOC)
1. Integrated log file
2. Encrypted log data
3. Analysis
4. Alerting
5. Respond
6. (Ongoing) vulnerability test, pen test, patching, incidence response knowledge
Security Event  Must be Correlated
8. Incidence Response
Cause: Lack of formal security incidence response process.
Threat: Generally made worse by lack of integration of systems security. Unable to respond to attacks in a timely manner.
Incidence Response
Incident response timeline (T-1, T0, T1, T3, T4 … TN): Analyse, Contain, Eliminate, Restore, Lessons, Refine Policy. Communicate throughout; continuous monitoring; policy.
Incidence Response Functions: Triage, Incident Notification, Escalation, Incident Lifecycle
Incidence Response Workflow: Event Correlation -> Event Database -> Automatic Incident Alert Generation -> Security Analyst -> Incident Alert Form -> HelpDesk DATABASE -> Security Analyst
Incident Response Lifecycle: New incident (reported by analyst, reported by customer, or detected by event correlation) -> Helpdesk DATABASE, tracking number assigned (e.g. IR0012885) -> progression through different stages/states; security analyst; automatic notification/escalation
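The monitoring steps (integrated log file, analysis, alerting) and the workflow above (event correlation -> automatic incident alert generation -> tracking number assigned, state "New") in one added example that is not part of the original deck. The sshd log lines, hostnames, addresses, the correlation rule (three or more failed logins from one source within 60 seconds followed by a success from that source) and the IR-nnnnnn ticket format are all constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from itertools import count

# Constructed integrated log file (step 1 on the slide): sshd lines from two hosts.
LOG_LINES = """\
Jan 12 03:14:01 web01 sshd[2211]: Failed password for admin from 10.0.0.7 port 5011 ssh2
Jan 12 03:14:03 web01 sshd[2212]: Failed password for admin from 10.0.0.7 port 5012 ssh2
Jan 12 03:14:05 web01 sshd[2213]: Failed password for admin from 10.0.0.7 port 5013 ssh2
Jan 12 03:14:09 web01 sshd[2219]: Accepted password for admin from 10.0.0.7 port 5019 ssh2
Jan 12 03:20:00 db01 sshd[3001]: Failed password for root from 10.0.0.9 port 6001 ssh2
Jan 12 03:31:00 db01 sshd[3002]: Accepted publickey for backup from 10.0.0.5 port 6002 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)")

def parse(line):
    """Step 3 (analysis): turn one syslog line into an event dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    # syslog lines carry no year; 2006 is assumed for the constructed sample
    e["ts"] = datetime.strptime("2006 " + e["ts"], "%Y %b %d %H:%M:%S")
    return e

def correlate(lines, threshold=3, window=timedelta(seconds=60)):
    """Step 4 (alerting): correlate events per (host, source) and emit incident
    records with a tracking number and initial state, as the workflow slide shows."""
    ticket = count(1)                 # constructed IR-nnnnnn numbering
    failures = defaultdict(deque)     # (host, src) -> timestamps of recent failures
    incidents = []
    for e in filter(None, map(parse, lines)):
        q = failures[(e["host"], e["src"])]
        while q and e["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["ts"])
        elif len(q) >= threshold:               # success right after a burst of failures
            incidents.append({
                "tracking": f"IR-{next(ticket):06d}", "state": "New",
                "host": e["host"], "src": e["src"], "user": e["user"],
                "failures": len(q), "at": e["ts"].isoformat(),
            })
            q.clear()
    return incidents

if __name__ == "__main__":
    for inc in correlate(LOG_LINES):
        print(inc)
```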
9. Managing Outsourcing Risk
Cause: Lack of a formal analysis and measurement process for outsourcing risk management.
Threat: High level of risk exposure, runaway uncontrolled risk. Complete loss of business.
Outsourcing Risk: Example 1 - Credit Card Fiasco
Disclosure of 40 million credit and debit cards. Visa stops processing with CardSystem Solutions. Judge: Visa and MasterCard won't have to inform customers that their personal details were exposed in a high-profile data security breach. Credit bureaus to adopt data protection standards. Credit card makers forced to scrutinize security.
Outsourcing Risk: Example 2 - Call Center Leaks Credit Cards
The Sun organized a sting in which they caught a call center employee selling credit cards, yet another incident where a call center staffer was selling personal data. The data consisted of banking details of British customers and was sold by people at an outsourced call center in India. There are security risks to outsourcing, and there are security risks to offshore outsourcing. But the risk illustrated in this story is the risk of malicious insiders.
Do you have an integrated risk mgmt plan?
10. Disaster Recovery & Business Continuity, Crisis Management
Cause: Lack of formal business continuity, disaster recovery or crisis management process.
Threat: Unable to respond to major disruptions or attacks causing complete system or organization unavailability.
Business Continuity Management
BCM Scope provides a unifying process across: Emergency Management, IT Disaster Recovery, Facilities Management, Human Resources, Physical Security, Communications & PR, Knowledge Management, Supply Chain Management, Quality Management, Crisis Management, Risk Management, Environmental Management. Source: BSI PAS56
Assessment Executive Review. Source: Dr David J Smith 2002
Mobile Response to Disaster
Are you ready for security? “… Don’t bring a knife to a gun fight …”
The « defence in depth »
Questions?

Editor's Notes

  • #2 Introduction of presentation, speaker, and thank you. Introduction to an updated strategy for eSecurity, effective for today’s technologies and eGovernment environments.